ZABBIX BUGS AND ISSUES
ZBX-26985

Zabbix Agent 2 smartctl plugin RCE vulnerability in Zabbix 5.0 (CVE-2025-27234)


    • Type: Defect (Security)
    • Resolution: Fixed
    • Priority: Major
    • Component: Agent2 plugin (G)

      CVE ID: CVE-2025-27234
      CVSS score: 7.3 (High)
      CVSS vector: CVSS:4.0/AV:A/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
      Affected components: Agent2 plugin
      Summary: Zabbix Agent 2 smartctl plugin RCE vulnerability in Zabbix 5.0.
      Description: The Zabbix Agent 2 smartctl plugin does not properly sanitize smart.disk.get parameters, allowing an attacker to inject unexpected arguments into the smartctl command. In Zabbix 5.0 this allows remote code execution.
      Known attack vectors: An attacker could request Agent 2 to monitor a metric with malicious arguments in the smart.disk.get metric.
      Affected and fixed version/s: Affected: 5.0.0 - 5.0.46 → Fixed: 5.0.47
      Mitigation: Update the affected components to their respective fixed versions.
      Workarounds: Remove smartctl or use strict item key parameter validation with AllowKey/DenyKey.
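The defect described above is an argument-injection pattern: a value taken from the item key parameter is handed to the smartctl process as one or more argv entries, so anything that looks like an option is interpreted by smartctl instead of being treated as a device name. The Go snippet below is an added illustration written for this page; it is not the Zabbix Agent 2 plugin code or its fix. It contrasts an unsafe argv builder that splits the raw parameter into fields with a hardened builder that first checks the parameter against an allowlist of plain /dev/ paths. The device regex, the helper names (buildUnsafeArgs, buildSmartctlArgs, validateDevice) and the smartctl flags `-a` and `-j` are assumptions for the example, and the inputs in main are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// devicePattern is an assumed allowlist for the device argument: a plain /dev/
// path built from a small character set. Because it must start with "/dev/",
// an option-like value such as "--something" can never match. (Example code.)
var devicePattern = regexp.MustCompile(`^/dev/[A-Za-z0-9_./-]+$`)

// ErrBadDevice is returned for any parameter that is not an allowlisted device path.
var ErrBadDevice = errors.New("smart.disk.get: parameter is not an allowed device path")

// buildUnsafeArgs models the vulnerable pattern: the raw item key parameter is
// split on whitespace and every field becomes its own argv entry, so a
// parameter carrying extra tokens injects extra arguments into smartctl.
func buildUnsafeArgs(raw string) []string {
	return append([]string{"-a"}, strings.Fields(raw)...)
}

// validateDevice rejects option-like values and path traversal explicitly,
// then applies the allowlist pattern.
func validateDevice(p string) error {
	if strings.HasPrefix(p, "-") || strings.Contains(p, "..") || !devicePattern.MatchString(p) {
		return fmt.Errorf("%w: %q", ErrBadDevice, p)
	}
	return nil
}

// buildSmartctlArgs is the hardened builder: the device is validated first and
// is appended as exactly one argv entry (no shell, no field splitting). The
// returned slice is what would be passed to exec.Command("smartctl", args...).
func buildSmartctlArgs(device string) ([]string, error) {
	if err := validateDevice(device); err != nil {
		return nil, err
	}
	return []string{"-a", "-j", device}, nil
}

func main() {
	// Constructed sample parameters: one legitimate device, two that smuggle
	// an extra option token, one with traversal.
	samples := []string{
		"/dev/sda",
		"--placeholder-option",
		"/dev/sda --placeholder-option",
		"/dev/../etc",
	}
	for _, s := range samples {
		fmt.Printf("unsafe argv for %q: %q\n", s, buildUnsafeArgs(s))
		if args, err := buildSmartctlArgs(s); err != nil {
			fmt.Printf("hardened: rejected %q (%v)\n", s, err)
		} else {
			fmt.Printf("hardened argv: %q\n", args)
		}
	}
}
```

The unsafe builder turns `/dev/sda --placeholder-option` into three argv entries, the last of which smartctl parses as an option; the hardened builder rejects the same string before any process is spawned. On an agent that cannot yet be upgraded, the page's listed workaround is the configuration-level equivalent of this check: a `DenyKey=smart.disk.get[*]` line in the Agent 2 configuration stops the key from being executed at all.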

      People: Zabbix Support Team (zabbix.support), Janis Nulle (jnulle)